bridge, spoof check: remove drop rule index

maiqueb · maiqueb · commit cac8230e7c1f · 2023-04-04T17:10:08.000+02:00
Rules are appendend by default, thus using an index is redundant.
Using an index also requires the full NFT cache, which causes a CNI ADD
to be extremely slow.

Signed-off-by: Miguel Duarte Barroso &lt;mdbarroso@redhat.com&gt;
diff --git a/pkg/link/spoofcheck.go b/pkg/link/spoofcheck.go
@@ -195,12 +195,10 @@ func (sc *SpoofChecker) matchMacRule(chain string) *schema.Rule {
 }
 
 func (sc *SpoofChecker) dropRule(chain string) *schema.Rule {
-	macRulesIndex := nft.NewRuleIndex()
 	return &schema.Rule{
 		Family: schema.FamilyBridge,
 		Table:  natTableName,
 		Chain:  chain,
-		Index:  macRulesIndex.Next(),
 		Expr: []schema.Statement{
 			{Verdict: schema.Verdict{SimpleVerdict: schema.SimpleVerdict{Drop: true}}},
 		},
diff --git a/pkg/link/spoofcheck_test.go b/pkg/link/spoofcheck_test.go
@@ -254,7 +254,6 @@ func assertExpectedRulesInSetupConfig(c configurerStub) {
                     "comment":"macspoofchk-container99-net1"}},
                 {"rule":{"family":"bridge","table":"nat","chain":"cni-br-iface-container99-net1-mac",
                     "expr":[{"drop":null}],
-                    "index":0,
                     "comment":"macspoofchk-container99-net1"}}
             ]}`
 	ExpectWithOffset(1, string(jsonConfig)).To(MatchJSON(expectedConfig))
